COMMAND

    AdCycle

SYSTEMS AFFECTED

    AdCycle versions up to and including 1.15

PROBLEM

    The following is based on qDefense Advisory Number QDAV-2001-7-2.
    In short: AdCycle does not properly validate user input.  This input
    is used to form SQL commands, which are passed to a MySQL database.
    By submitting cleverly crafted input, an attacker can bypass the
    administrator password check.

    In  file  AdLogin.pm,  AdCycle  uses  the following SQL command to
    authenticate a user signing in:

        SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'

    If an attacker signs in using an account name of "ADMIN" and a
    password of

        X ' OR 1 #

    an attacker can cause AdCycle to use the following SQL command:

        SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #

    The pound sign causes MySQL to treat the rest of the line, including
    the trailing single quote, as a comment.  Since anything OR 1 is
    true, the query will return a recordset, and AdCycle will think that
    the attacker has authenticated as administrator.

    Administrator  status  allows  one  to  modify  the  various  ads.
    qDefense  has  not  determined  if  an  attacker can cause command
    execution using this technique.
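    The following is an added illustration, not code from AdCycle or the
    qDefense advisory: a Python stand-in for the AdLogin.pm check, with the
    interpolated query beside a parameterized one. It assumes a constructed
    "ad" table with the LOGIN and PASSWORD columns from the query above, and
    runs on SQLite, whose line comment is "--" rather than MySQL's "#".

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for AdCycle's 'ad' table (assumed
    column names from the advisory's query; the row values are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ad (LOGIN TEXT, PASSWORD TEXT)")
    db.execute("INSERT INTO ad VALUES ('ADMIN', 'correct-horse')")
    db.commit()
    return db


def login_interpolated(db, account, password):
    """Mirrors the AdLogin.pm pattern: credentials are pasted into the SQL
    text, so a quote in the password ends the string literal early."""
    sql = f"SELECT * FROM ad WHERE LOGIN='{account}' AND PASSWORD='{password}'"
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, account, password):
    """Fixed form: the driver binds the values, so quotes and comment
    markers in the input remain data and never change the query."""
    sql = "SELECT * FROM ad WHERE LOGIN=? AND PASSWORD=?"
    return db.execute(sql, (account, password)).fetchone() is not None


# The advisory's payload ends in MySQL's '#' comment; SQLite's equivalent is
# '--', so the same input is written that way for this offline demonstration.
PAYLOAD = "X ' OR 1 --"


def demo():
    """Returns (interpolated_result, parameterized_result) for the payload:
    the vulnerable query accepts it, the bound query rejects it."""
    db = make_db()
    return (login_interpolated(db, "ADMIN", PAYLOAD),
            login_parameterized(db, "ADMIN", PAYLOAD))


if __name__ == "__main__":
    print(demo())  # (True, False)
```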

SOLUTION

    AdCycle has released an upgrade, version 1.16, which validates user
    input.